b'The Council of the Inspectors General\n    on Integrity and Efficiency\xe2\x80\x99s\n    Cloud Computing Initiative\n\n\n\n\n                            September 2014\n\x0c\x0cCouncil of the Inspectors General on Integrity and Efficiency Cloud\nComputing Initiative\n\nExecutive Summary\nFederal agencies have looked to leverage the benefits of cloud computing by incorporating cloud\ncomputing systems into their overall information technology (IT) environment. In response, the\nCouncil of the Inspectors General on Integrity and Efficiency\xe2\x80\x99s (CIGIE) IT Committee began a\nGovernment-wide initiative to evaluate participating agencies\xe2\x80\x99 efforts when adopting cloud\ncomputing technologies. As part of this consolidated cloud computing review, the\n19 participating Offices of Inspector General (OIG) (see Appendix A) selected a sample of 77\ncommercial cloud contracts that Federal agencies issued as they transitioned to a cloud system. 1\nThese contracts have a value of approximately $1.6 billion (from a universe of 348 contracts\ntotaling about $12 billion). 2 Each participating OIG reviewed its sampled contract(s)\nindependently based on a standardized matrix of questions and verified its results through the\nrespective OIG\xe2\x80\x99s internal quality control processes. Once the OIGs validated their results, they\ntransmitted the results to the U.S. Department of Agriculture OIG for consolidation. Due to the\nvariances in Federal contracts, not every element that was tested was applicable to every contract\nin the sample.\n\nThe majority of the participating OIGs have issued reports (See Appendix B), or plan to issue\nreports over the next few months, with agency specific recommendations. 
3\n\nThe testing that the OIGs conducted as part of the CIGIE initiative indicated that participating\nFederal agencies have not fully considered and implemented existing Federal guidance, the\nagencies\xe2\x80\x99 policies, and best practices when developing requirements for cloud computing\ncontracts. The specificity of the requirements incorporated into the contracts used to procure\ncloud systems varied across the sample, with all 77 contracts lacking the detailed specifications\nrecommended in Federal cloud computing guidelines and best practices documentation.\nAdditionally, 59 cloud systems reviewed did not meet the requirement to become compliant with\nthe Federal Risk Authorization and Management Program (FedRAMP) by June 5, 2014, even\nthough the requirement was announced on December 8, 2011. 4 Finally, as the OIGs were\nvalidating their respective inventories, 9 of the 19 agencies found that they did not have an\naccurate and complete inventory of their cloud systems. These issues occurred in part because\n1\n  The total sample of commercial cloud contracts reviewed by the 19 OIGs was 77. However, the applicability of\neach question varied by contract. This resulted in a total response of less than 77 for some questions. For reporting\npurposes, the number reported is the number of \xe2\x80\x98No\xe2\x80\x99 responses per question for the total sample of 77 contracts.\n2\n  Due to the problems with validating the inventory for some participating agencies, the 348 contracts totaling $12\nbillion is based on the 348 known contracts identified by the participating agencies. Therefore, the actual dollar\namount may be larger because the participating OIGs could not identify all of the cloud contracts. 
See Section 3 of\nthis report.\n3\n  Some OIGs that are not issuing a report have discussed their findings with the agency and/or plan to include their\nfindings in another report (i.e., their 2014 Federal Information Security Management Act report).\n4\n  One agency, which accounts for 4 of the 59 contracts, is not required to follow National Institute of Standards and\nTechnology (NIST) or FedRAMP guidance. However, the agency has chosen to comply with some of the NIST\nstandards and developed a cloud security policy requiring its cloud service providers to be FedRAMP-certified.\n\n\n                                                                                                                    1\n\x0cthere is no single authoritative source that details the specifications agencies should consider\nwhen procuring cloud computing services and that requires Federal agencies to incorporate those\nspecifications into cloud computing contracts. Additionally, although the Office of Management\nand Budget (OMB) established FedRAMP via a policy memorandum that also created the Joint\nAuthorization Board (JAB) and the Program Management Office (PMO) to facilitate the\nFedRAMP authorization process, neither the JAB nor the PMO has the authority to enforce\nFedRAMP compliance within the individual agencies. 5 Since there is no discernable penalty for\nnoncompliance and no singular governing body with the authority to enforce compliance, the\nagencies do not have an incentive to timely comply with FedRAMP requirements and therefore\ndid not adequately plan in order to meet the June 5, 2014 deadline. 
Finally, many of the agencies\nthat participated in the initiative had difficulty obtaining an accurate cloud system inventory due\nto a failure by agencies to report all cloud systems and a lack of consistency in applying cloud\ndefinitions.\n\nBased on the findings in the report, none of the 19 participating agencies had adequate controls\nin place to manage its cloud service providers (CSP) and the data that reside within its cloud\nsystems. This subjects Federal data to the risk of loss or exposure to unauthorized parties and\ncould compromise both Federal program and personal data. Furthermore, because 42 contracts\ntotaling approximately $317 million did not specify how a CSP\xe2\x80\x99s performance would be\nmeasured, reported, or monitored, the agencies are not able to ensure CSPs meet adequate\nservice levels, which increases the risk that agencies could misspend or ineffectively use\nGovernment funds.\n\nCIGIE\xe2\x80\x99s objective was to evaluate participating agencies\xe2\x80\x99 efforts when adopting cloud\ncomputing technologies and to review cloud service contracts for compliance with applicable\nstandards.\n\nCIGIE recommends that OMB:\n\n    \xe2\x80\xa2   Establish standardized contract clauses that agencies must use when adopting cloud\n        computing technologies;\n    \xe2\x80\xa2   Determine how best to enforce FedRAMP compliance;\n    \xe2\x80\xa2   Establish a process and reporting mechanism to ensure Federal agencies require CSPs to\n        meet the FedRAMP authorization requirements in a timely manner; and\n    \xe2\x80\xa2   Incorporate routine reviews of agency information system inventories into the continuous\n        monitoring process.\n\n\n\n\n5\n  The JAB performs risk authorizations and grants the provisional FedRAMP authorization for the cloud system.\nMembers of the JAB consist of the Chief Information Officers from the Department of Defense, Department of\nHomeland Security, and General Services Administration, and are 
supported by designated technical representatives\nfrom their respective member organizations.\n\n\n2\n\x0cTable of Contents\nBackground and Objectives ....................................................................................4\nSection 1: Cloud Contracting .................................................................................7\n   Finding 1: Federal Agencies Need to Include More Detailed Cloud\n   Contracting Specifications ...................................................................................7\n         Recommendation 1 ......................................................................................11\nSection 2: FedRAMP Compliance .......................................................................12\n   Finding 2: Federal Agencies Must Meet FedRAMP Requirements .............12\n         Recommendation 2 ......................................................................................13\n         Recommendation 3 ......................................................................................13\nSection 3: Cloud Inventory Management ...........................................................14\n   Finding 3: Federal Agencies Must Develop Accurate Cloud System\n   Inventories ...........................................................................................................14\n         Recommendation 4 ......................................................................................15\nScope and Methodology .........................................................................................16\nAbbreviations .........................................................................................................18\nAppendix A: List of Participating Offices of Inspector General.......................19\nAppendix B: Individual Reports Issued as Part of the CIGIE Cloud\nComputing Initiative ..............................................................................................20\n\n\n\n\n  
                                                                                                                       3\n\x0cBackground and Objectives\nBackground\n\nThe Council of the Inspectors General on Integrity and Efficiency (CIGIE) was statutorily\nestablished as an independent entity within the executive branch by the Inspector General\nReform Act of 2008, Public Law 110-409. The mission of CIGIE is to:\n\n       \xe2\x80\xa2   Address integrity, economy, and effectiveness issues that transcend individual\n           government agencies; and\n\n       \xe2\x80\xa2   Increase the professionalism and effectiveness of personnel by developing policies,\n           standards, and approaches to aid in the establishment of a well-trained and highly\n           skilled workforce in the Federal Inspector General (IG) community.\n\nCIGIE Information Technology Committee\n\nThe CIGIE Information Technology (IT) Committee\xe2\x80\x99s mission is to facilitate effective IT audits,\nevaluations, and investigations by Offices of Inspector General (OIGs), and to provide a vehicle\nto express the IG community\xe2\x80\x99s perspective on Government-wide IT operations. Under its\noperating principles, this committee strives to promote participation by the IG community\nmembers in its activities; encourage communication and cooperation with colleagues in the IT\nfield (including Federal Chief Information Officers and staff, and IT security professionals); and\npromote effective teamwork in addressing Government-wide initiatives, improving Federal\nGovernment IT activities, and safeguarding national IT assets and infrastructure.\n\nThe CIGIE IT Committee announced this initiative to perform a Government-wide review of\nagency cloud computing efforts to CIGIE members and 19 OIGs participated. 6 This review was\nmodeled after an audit issued by the National Aeronautics and Space Administration (NASA)\nOIG on NASA\xe2\x80\x99s progress in adopting cloud computing technologies. 
7 The U.S. Department of\nAgriculture (USDA) OIG agreed to coordinate this effort and prepare the consolidated report.\n\nCloud Computing Technology\n\nThe term \xe2\x80\x9ccloud computing\xe2\x80\x9d refers to information technology systems, software, and\ninfrastructure that a service provider packages and sells to customers. The National Institute of\nStandards and Technology (NIST) describe the following five essential components of cloud\nsystems, which are: 8\n\n\n6\n  Federal Departments, Agencies, and other Federal entities were reviewed as part of the initiative. For our purposes\nin this report, all are referred to as Federal agencies throughout the report. See Appendix A for a list of participating\nOIGs.\n7\n  IG-13-021, NASA\xe2\x80\x99s Progress in Adopting Cloud-Computing Technologies, July 29, 2013\nhttp://oig.nasa.gov/audits/reports/FY13/IG-13-021.pdf.\n8\n  NIST Special Publication (SP) 800-145, The NIST Definition of Cloud Computing, September 2011.\n\n\n4\n\x0c      \xe2\x80\xa2    On-demand self-service: The customer is able to provision computing capabilities with\n           the service provider, as needed, without requiring human interaction.\n\n      \xe2\x80\xa2    Broad network access: The customer accesses the capabilities (such as storage, servers,\n           and databases) of the service provider through a network connection.\n\n      \xe2\x80\xa2    Resource pooling: The customer shares vendor services with other customers.\n\n      \xe2\x80\xa2    Rapid elasticity: The service provider\xe2\x80\x99s system allows the customer to rapidly expand\n           or contract required computing resources.\n\n      \xe2\x80\xa2    Measured service: The customer\xe2\x80\x99s payment for use of the cloud system is determined\n           by a measured capability (such as seat licenses or storage used).\n\nCloud computing offers the potential for significant cost savings through more efficient delivery\nof computing resources, flexible payments 
that increase or decrease based on needed resources,\nand a decreased need to buy hardware or build data centers.\n\nTo accelerate the Federal Government\xe2\x80\x99s use of cloud computing strategies, the U.S. Chief\nInformation Officer published the Federal Cloud Computing Strategy, requiring agencies to\nevaluate safe, secure cloud computing options before making any new IT investments. 9,10 Based\non this \xe2\x80\x9ccloud first\xe2\x80\x9d policy, Federal agencies are to evaluate cloud services for new IT projects in\nan effort to realize the value of cloud computing through cost savings.\n\nIn addition to risks that resemble those of in-house information systems, cloud technologies have\nrisks that are unique to a cloud system\xe2\x80\x99s deployment. For example, when using a cloud system,\nthe customer relinquishes its ability to govern the system. Specifically, the client cedes control\nto the cloud service provider (CSP) on a number of issues that may affect security of the systems,\nsuch as incident management or patch management. 11,12 At the same time, service level\nagreements (SLAs) may not require CSPs to offer such services, thus leaving a gap in security\ndefenses. 13,14\n\nAs part of the consolidated cloud computing initiative, on behalf of CIGIE, USDA OIG received\ntesting results from the 19 participating OIGs, resulting in a review of 77 contracts with a\n\n9\n  Kundra, V., Federal Cloud Computing Strategy, February 8, 2011.\n10\n   One of the agencies that participated in the cloud computing initiative is not required to follow OMB guidance.\n11\n   Incident management helps personnel to minimize loss or theft of information and disruption of services caused\nby incidents as well as to properly address legal issues that may arise during incidents.\n12\n   A patch is a small piece of software that is used to correct a problem with a software program or an operating\nsystem. 
Most major software companies will periodically release patches, usually downloadable from the internet,\nthat correct very specific problems or security flaws in their software programs.\n13\n   European Network and Information Security Agency (ENISA) Cloud Computing: Benefits, Risks and\nRecommendations for Information Security, November 2009.\n14\n   An SLA is a document describing the level of service a customer expects from a provider. It lays out the metrics\nby which the customer will measure service, and the remedies or penalties, if any, should the supplier not achieve\nagreed-on levels.\n\n\n                                                                                                                      5\n\x0creported value of approximately $1.6 billion (from a universe of 348 contracts with a value of\napproximately $12 billion). Although the total sample of contracts reviewed by the 19 OIGs was\n77, the applicability of each question in the standardized matrix of questions varied by\ncontract. This resulted in a total response of less than 77 for some questions. 
For reporting\npurposes, the number reported is the number of \xe2\x80\x98No\xe2\x80\x99 responses per question for the total sample\nof 77 contracts.\n\nObjective\nThe objective of the CIGIE cloud computing initiative was to evaluate participating agencies\xe2\x80\x99\nefforts when adopting cloud computing technologies and to review cloud service contracts for\ncompliance with applicable standards.\n\n\n\n\n6\n\x0cSection 1: Cloud Contracting\nFinding 1: Federal Agencies Need to Include More Detailed Cloud\nContracting Specifications\nBased on the results collected for the CIGIE cloud computing initiative, OIGs found that all 77\ncommercial cloud contracts reviewed did not include specifications for the agency and the CSP\nto adhere to, including detailed SLAs, data preservation responsibilities, roles and\nresponsibilities, Federal regulation requirements, and audit and investigative access for OIGs. 15\nAlthough the contracts tested did contain some of the elements, no one contract included all of\nthe elements. This occurred in part because there is not a single, authoritative source that\nspecifies the requirements agencies should consider when procuring cloud computing services\nand that requires Federal agencies to incorporate those requirements into cloud computing\ncontracts. Additionally, in some instances, agencies had not implemented policies and\nprocedures, or effective risk management processes, to ensure that all cloud contracts contained\nthe provisions noted. As a result, the reviewed agencies have not implemented adequate controls\nin their contracts to monitor and manage their CSPs and the data that reside within the systems,\nsubjecting Federal data to the risk of loss or exposure to unauthorized parties. 
Furthermore,\nbecause 42 contracts, totaling approximately $317 million, did not include detailed SLAs\nspecifying how a provider\xe2\x80\x99s performance was to be measured, reported, or monitored, the\nagencies are not able to ensure that CSPs meet adequate service levels, which increases the risk\nthat agencies could misspend or ineffectively use Government funds.\n\nNIST recommends that if the terms of a default service agreement do not address all consumer\nneeds, the consumer should discuss modifications to the SLA with the provider prior to use. 16\nRegarding consumer needs, the Chief Information Officers (CIO) Council and the Chief\nAcquisition Officers (CAO) Council issued a cloud computing best practices report that provides\nspecific guidance on how Federal agencies should effectively procure cloud services within\nexisting regulations and laws. 17 For example, it suggests agencies establish terms of service\n(TOS) agreements that detail how end-users may use the services, the CSP\xe2\x80\x99s responsibilities, and\nhow the CSP will deal with customer data. It also recommends that Federal agencies require\nCSPs to allow forensic investigations for both criminal and non-criminal purposes. In addition,\nthe report recommends that the agency and CSP should have an SLA with clearly defined terms,\ndefinitions, and penalties for failure to meet SLA performance measures.\n\nSpecific details of our testing are as follows.\n\n\n\n15\n   Data preservation responsibilities address how long the CSP must maintain the agency\xe2\x80\x99s data, whether the agency\nor CSP retains the data ownership rights, and how the CSP should sanitize the data throughout the system lifecycle.\n16\n   The default SLAs of public clouds specify limited promises that providers make to consumers, limit the remedies\navailable to consumers, and outline consumer obligations in obtaining such remedies. 
NIST SP 800-146, Cloud\nComputing Synopsis and Recommendations, May 2012.\n17\n   The CIO Council and CAO Council guidance, Creating Effective Cloud Computing Contracts for the Federal\nGovernment Best Practices for Acquiring IT as a Service, February 24, 2012.\n\n\n                                                                                                                 7\n\x0cService Level Agreement\n\nOIGs found that 64 cloud contracts reviewed lacked detailed SLAs, which define the expected\nlevel of service the CSP will deliver and the service credit available to the consumer if the CSP\nfails to deliver the service at the specified level. 18 For example, OIGs found that 42 contracts did\nnot specify how a provider\xe2\x80\x99s uptime percentage performance (the level of system availability that\nthe CSP must provide to the agency for a specific period of time) was to be measured, reported,\nor monitored. Specifically, of the 42 contracts, OIGs found:\n\n       \xe2\x80\xa2   15 contracts reviewed did not specify the required uptime percentages for the CSP.\n\n       \xe2\x80\xa2   24 contracts did not describe how the uptime percentage was calculated. This calculation\n           is critical so that the agency can verify the CSP is meeting the stated uptime percentages.\n\n       \xe2\x80\xa2   27 contracts did not detail remedies the CSP would pay to the agency if the CSP did not\n           meet uptime requirements. NIST SP 800-146 states that if a CSP fails to provide the\n           stated availability, the CSP should compensate consumers in good faith with a service\n           credit for future use of cloud services.\n\n       \xe2\x80\xa2   23 contracts did not assign someone from the agency to monitor the actual uptime,\n           compare it to the uptime percentage specified in the contract, and pursue service credits,\n           when applicable. 
NIST SP 800-146 states that the consumer is generally responsible for\n           obtaining a service credit and the consumer must provide timely information about the\n           nature and the time length of the outage.\n\nIf an agency does not monitor and verify the uptime percentage, the agency cannot be assured\nthat it will receive a service credit if the CSP does not meet its uptime percentages.\n\nData Preservation\n\nOIGs found that 34 cloud contracts did not include data preservation requirements. Data\npreservation responsibilities should address how long the CSP must maintain the agency\xe2\x80\x99s data,\nwhether the agency or CSP retains the data ownership rights, and how the CSP should sanitize\ndata throughout the system lifecycle. 19\n\nNon-Disclosure Agreements (NDAs)\n\nOIGs found that 33 CSPs did not sign an NDA with the agency to protect non-public information\nthat is procurement-sensitive, or affects pre-decisional policy, physical security, or other\ninformation deemed important to protect.\n\n\n\n\n18\n     NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011.\n19\n     NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011.\n\n\n8\n\x0cSince CSP personnel have access to, and control of the Federal data residing in the cloud system,\nNDAs are a critical control to ensure CSPs protect the information being stored in the cloud. 20\n\nIn addition, the 39 contracts that included NDAs were reviewed and OIGs found that 27 did not\nestablish rules of behavior specifically within the NDA for the CSP, nor did they establish a\nmethod within the NDA for the agency to monitor end-user activities in the cloud environment. 21\nDefining a method for the agency to monitor end-user activities provides the agency with a\nprocess to verify adherence to the NDA.\n\nRoles and Responsibilities\n\nOIGs found that 22 contracts did not contain TOS specifications. 
TOS requirements generally\ninclude how end-users may use the services, the responsibilities of the CSP, and how the CSP\nwill handle customer data. To effectively manage cloud services, the Federal agency and the\nCSP must clearly define their roles and responsibilities. NIST states that an agency should\nunderstand both its responsibilities and those of the CSP before using a cloud service.\nAccordingly, the CSPs and the agencies must agree to all terms to ensure that both parties fully\nunderstand their duties when providing and using a cloud service.\n\nFederal IT Regulatory Requirements\n\nOIGs found that 44 contracts did not completely address applicable Federal rules and\nregulations. In addition to contract roles and responsibilities, agencies that use cloud computing\ncontracts are subject to unique policy and regulatory requirements. Federal agencies must ensure\nthat any selected cloud computing solution is configured, deployed, and managed to meet the\nsecurity, privacy, and other requirements of the organization. 22 Furthermore, NIST states that\nthe Federal Information Security Management Act of 2002 (FISMA) and the associated NIST\nstandards and special publications (e.g., FIPS 199, FIPS 200, SP 800-53) are applicable to cloud\nsystems. 23\n\nAccess to CSPs for Audit and Investigative Purposes\n\nFrom the sampled contracts that were reviewed for the presence of specifications for audit and\ninvestigative access in cloud contracts, the OIGs found the following:\n\n\n\n\n20\n   The CIO Council and CAO Council guidance, Creating Effective Cloud Computing Contracts for the Federal\nGovernment Best Practices for Acquiring IT as a Service, February 24, 2012.\n21\n   The rules of behavior, which are required in OMB Circular A-130, Appendix III, and are a security control\ncontained in NIST SP 800-53, should clearly delineate the responsibilities and expected behavior of all individuals\nwith access to the system. 
NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,\nFebruary 2006.\n22\n   NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011.\n23\n   One of the agencies that participated in the cloud computing initiative is not required to follow NIST guidance,\nbut considers the guidance to be a best practice.\n\n\n                                                                                                                  9\n\x0c     \xe2\x80\xa2   61 contracts reviewed did not include language to allow agencies to conduct forensic\n         investigations for both criminal and non-criminal purposes without interference from the\n         CSP.\n\n     \xe2\x80\xa2   65 contracts did not detail procedures for electronic discovery when conducting a\n         criminal investigation.\n\n     \xe2\x80\xa2   54 contracts did not include language to allow the OIG full and unrestricted access to the\n         contractor\xe2\x80\x99s (and subcontractor\xe2\x80\x99s) facilities, installations, operations, documentation,\n         databases, and personnel used in performance of the contract in order to conduct audits,\n         inspections, investigations, or other reviews.\n\nOIG offices of audit and investigations must have access to CSP and subcontractor personnel,\nfacilities, and Federal agency information to perform their statutory oversight roles. The CIO\nCouncil and CAO Council cloud computing best practices report states that Federal agencies\nshould require CSPs to allow forensic investigations for both criminal and non-criminal\npurposes, and these investigations should be able to be conducted without affecting data integrity\nand without interference from the CSP. 
24\n\nWithout proper access to the CSP and the services being provided, OIGs cannot verify that\nappropriate security controls are in place to reduce risk to a level acceptable to the agency.\nAdditionally, limiting OIG access to CSP facilities and data could compromise and interfere with\naudits and criminal investigations.\n\nThe nature of cloud computing requires customers to cede control to the CSP on a number of\nissues that may affect security, such as incident management or patch management. At the same\ntime, service agreements may not offer or include a commitment from the CSP to provide such\nservices, thus leaving a gap in security. 25 Without detailed contract specifications that include\nSLAs, data preservation responsibilities, roles and responsibilities, regulation requirements, and\naudit and investigative access, the Federal Government\xe2\x80\x99s data stored within the cloud\nenvironment could be at risk, which affects all Federal programs, personnel, and citizen data in\nthe cloud environment. Additionally, without the ability to determine how the CSPs\xe2\x80\x99\nperformance is measured, reported, or monitored, the Government does not have the ability to\nensure that CSPs are meeting required service levels, which increases the risk that agencies could\nmisspend or ineffectively use Government funds.\n\nCIGIE concluded that Federal agencies must take steps to ensure that cloud computing\narrangements are meeting the needs of the Government. 
OMB should develop guidance\nspecifying the clauses agencies must incorporate into cloud computing contracts.\n\n\n24\n   Recognizing this issue, the CIGIE IT Committee drafted clauses that would ensure OIG audit and investigative\naccess and proposed including the clauses in the Federal Acquisition Regulation (FAR) to the FAR Council in\nJanuary 2012.\n25\n   European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks, and\nRecommendations for Information Security, November 2009.\n\n\n10\n\x0cRecommendation 1\n\nOMB needs to develop guidance defining a minimum set of requirements that Federal agencies\nmust incorporate into a cloud contract when they adopt cloud computing technologies.\n\n\n\n\n                                                                                        11\n\x0cSection 2: FedRAMP Compliance\nFinding 2: Federal Agencies Must Meet FedRAMP Requirements\nOMB issued a policy memorandum on December 8, 2011 requiring cloud systems utilized by\nexecutive departments and agencies to be FedRAMP compliant by June 5, 2014. OIGs\ndetermined that 59 reviewed systems were not compliant with FedRAMP by the required\ndeadline of June 5, 2014. FedRAMP establishes a risk-based approach for adopting and using\ncloud services and includes standardized security requirements. 26 Sixteen of the nineteen\nagencies participating in this review had contracts that did not meet this deadline. Ultimately,\nthis occurred because the agencies did not adequately plan in order to meet the June 5th deadline\nand the FedRAMP PMO does not have the authority to enforce FedRAMP compliance at the\nagency level. Additionally, agencies reported that their contractors were noncompliant because\nthe contractors did not believe they were required to be FedRAMP compliant. Compounding the\nproblem, the OIGs found that for 30 of the 59 noncompliant systems, the agencies did not\nestablish a comprehensive inventory of all cloud services. 
27 FedRAMP states that establishing\nan inventory of all cloud services within an agency is a critical step on the path to FedRAMP\ncompliance. Once the agency establishes its inventory, it needs to work with CSPs to update\ncontractual requirements and determine the path each cloud system will take to become\nFedRAMP compliant. FedRAMP\xe2\x80\x99s purpose is to ensure that cloud-based services have an\nadequate information security program that addresses the specific characteristics of cloud\ncomputing and provides the level of security necessary to protect government information. The\nfailure of the cloud system to address and meet FedRAMP security controls increases the risk\nthat Federal program data may be compromised, intercepted, or lost, which could expose the data\nto unauthorized parties.\n\nFedRAMP was announced on December 8, 2011, via an OMB policy memorandum, that\naddressed the security authorization process for cloud computing services. 28 In the\nmemorandum, OMB requires each executive department or agency to use FedRAMP when\nconducting risk assessments and security authorizations, and granting an authority to operate for\nthe use of cloud services. FedRAMP\xe2\x80\x99s goal is to provide a cost-effective, risk-based approach\nfor adopting and using cloud services. It includes:\n\n     \xe2\x80\xa2   Standardized security requirements for the authorization and ongoing cybersecurity of\n         cloud services for selected information system impact levels; 29\n\n26\n   One agency, accounting for 4 of the 59 contracts, is not required to follow FedRAMP guidance. 
However, the\nagency has chosen to comply with these requirements and developed a cloud security policy requiring its cloud\nservice providers to be FedRAMP-certified.\n27\n   Nine of the nineteen agencies that participated in the CIGIE cloud initiative noted inventory issues.\n28\n   OMB Memorandum for Chief Information Officers, Security Authorization of Information Systems in Cloud\nComputing Environments (December 8, 2011).\n29\n   The system\xe2\x80\x99s security category is determined in accordance with Federal Information Processing Standard 199.\nAfter the category is determined, the contractor should apply the appropriate set of baseline controls as required in\nthe FedRAMP Cloud Computing Security Requirements Baseline document to ensure compliance with security\nstandards. The FedRAMP baseline controls were originally based on NIST SP 800-53, Revision 3. An updated\nsecurity control baseline was released on June 6, 2014, based on Revision 4.\n\n     \xe2\x80\xa2   An assessment program capable of producing consistent, independent, third-party\n         assessments of security controls implemented by CSPs;\n\n     \xe2\x80\xa2   Authorization packages of cloud services reviewed by a JAB consisting of security\n         experts from the Department of Homeland Security, Department of Defense, and the\n         General Services Administration; 30\n\n     \xe2\x80\xa2   Standardized contract language to help executive departments and agencies integrate\n         FedRAMP requirements and best practices into acquisitions of cloud systems; and\n\n     \xe2\x80\xa2   A repository of authorization packages for cloud services that can be leveraged\n         Government-wide.\n\nDue to the unique risks presented by cloud computing environments, FedRAMP incorporated\ncontrols from NIST SP 800-53 into its baseline security control framework for use with cloud\nsystems. 
According to OMB, all cloud services currently implemented were required to comply\nwith FedRAMP by June 5, 2014.\n\nCIGIE concluded that OMB needs to strengthen Federal agencies\xe2\x80\x99 compliance with FedRAMP\xe2\x80\x99s\nrequirements.\n\nRecommendation 2\nOMB needs to determine how best to enforce FedRAMP compliance.\n\nRecommendation 3\nOMB needs to establish a process and reporting mechanism to ensure Federal agencies require\nCSPs to meet the FedRAMP authorization requirements in a timely manner.\n\n30\n  Authorization packages contain the body of evidence needed by authorizing officials to make risk-based decisions\nregarding the information systems providing cloud services. This includes, at a minimum, the security plan, security\nassessment report, plan of action and milestones, and a continuous monitoring plan.\n\nSection 3: Cloud Inventory Management\nFinding 3: Federal Agencies Must Develop Accurate Cloud System\nInventories\nIn the course of their work for the CIGIE cloud computing initiative, the OIGs\ndetermined that 9 of 19 agencies did not have an accurate and complete inventory of their cloud\nsystems. This occurred in many instances because the inventory process at select agencies relied\non manual reporting of the systems to a centralized office, such as the CIO\xe2\x80\x99s office; the agency\nofficials were not consistently applying the NIST definition of cloud computing; or a\ncombination of both. Without accurate and complete inventories, the agencies involved do not\nknow the extent to which their data reside outside their own information system boundaries and\nare subject to the inherent risks of cloud systems. These risks include isolation failure,\ninterception of data in transit, and insecure or ineffective deletion of data. 
31 These risks could\nexpose agency data to unauthorized parties and potentially compromise the objectives of the\nagencies\xe2\x80\x99 programs.\n\nOMB requires Federal agencies to follow NIST guidance. 32 According to NIST, Federal\nagencies need to develop and document an inventory of information system components that:\n(1) accurately reflects the current information system, (2) includes all components within the\nauthorization boundary of the information system, and (3) includes the granularity deemed\nnecessary for tracking and reporting. 33\n\nIn addition, the Council on Cybersecurity designated an inventory of hardware and an inventory\nof software as the top two critical security controls for building a secure network. 34 The critical\ncontrols are a recommended set of actions for cyber defense that provide specific and actionable\nways to mitigate the most pervasive attacks. Attackers are continuously scanning the address\nspace of target organizations, waiting for new and unprotected systems to be attached to a\nnetwork. Therefore, it is critical to maintain an asset inventory of all systems connected to the\nnetwork, including the network devices themselves, and to include every system that has an\nInternet protocol address on the network. Without an accurate and complete cloud system\ninventory, agencies cannot ensure the appropriate controls are in place to protect the systems and\ntheir data.\n\n\n31\n   Isolation failure is the failure of the mechanisms that separate the data of different clients on the same cloud, thus\nexposing sensitive data to unauthorized users. Interception of data in transit occurs when an unauthorized party uses\nsniffing or man-in-the-middle attacks to intercept data being sent to or from the cloud. 
Insecure or ineffective\ndeletion of data occurs when data are not truly erased from the cloud at the end of a cloud service contract.\n32\n   OMB M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act\nand Agency Privacy Management, November 18, 2013.\n33\n   NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, April\n2013.\n34\n   The Council on Cybersecurity is a consortium of U.S. and international agencies and experts from private industry\nand around the globe. They provided recommendations for what ultimately became the critical security controls. In\n2013, the stewardship and sustainment of the controls were transferred to the Council on Cybersecurity, an\nindependent, global non-profit entity committed to a secure and open Internet.\n\nCIGIE views the consistent application of a cloud computing definition, in accordance with\nNIST guidance, as a critical element for establishing a complete and accurate inventory of cloud\nsystems. CIGIE concluded that all Federal agencies need to ensure that they have an accurate\nand complete inventory of their cloud-based systems.\n\nRecommendation 4\nOMB needs to incorporate routine reviews of agency information system inventories into the\ncontinuous monitoring process.\n\nScope and Methodology\nThis report is a compilation of the results of a Government-wide review initiated by the CIGIE\nIT Committee and conducted by Federal OIGs. The objective was to conduct a Government-wide\nreview of Federal agencies\xe2\x80\x99 cloud computing efforts using a standard methodology based\non an audit program developed by NASA OIG. The NASA OIG had used the program in an\nearlier audit of cloud computing efforts at NASA. 
CIGIE invited all Federal OIGs to take part in\nthis consolidated effort, and 19 OIGs participated (see Appendix A). USDA OIG agreed to\ncoordinate this effort on behalf of CIGIE.\n\nThe report was prepared to highlight crosscutting issues and lessons learned from the\nGovernment-wide review. As a result, CIGIE provided recommendations for OMB\xe2\x80\x99s\nconsideration. In compiling the results contained in this report, USDA OIG did not conduct\nany additional audit work pertaining to the results received.\n\nBased on the information obtained by the 19 participating OIGs, the universe contained 348\ncommercial cloud contracts with a value of about $12 billion. Each participating OIG used its\nown sampling methodology to select a sample of cloud IT services and service providers that had\nactive contracts in fiscal year (FY) 2014. 35 For example, some OIGs judgmentally selected\ncloud service providers based on contract value, system risk, or a combination of the two. The\ntotal sample of contracts reviewed by the 19 OIGs was 77; however, the applicability of each\nquestion varied by contract. This resulted in a total response of less than 77 for some\nquestions. For reporting purposes, the number reported is the number of \xe2\x80\x98No\xe2\x80\x99 responses per\nquestion for the total sample of 77 contracts.\n\nTo answer the objectives of this coordinated review, 18 of the 19 participating OIGs were\nprovided a standardized matrix of questions to ensure each of the participating OIGs had a\nconsistent foundation for developing their testing methodologies. For the remaining OIG\n(NASA), USDA OIG incorporated the applicable testing results from NASA OIG\xe2\x80\x99s final audit report;\nAppendix B contains a link to that report. Each participating OIG conducted its review\nindependently and verified its results through its internal quality control process. 
Once an OIG\nvalidated its results, it transmitted those results to USDA OIG for consolidation. USDA OIG\nrelied on the participating OIGs\xe2\x80\x99 internal quality control review processes and therefore did not perform\nany audit work to validate the results received.\n\nBecause the participating OIGs used a combination of methodologies to obtain each agency\xe2\x80\x99s testing results,\nincluding inspections, evaluations, and audits conducted in compliance with generally accepted government\nauditing standards (GAGAS), the consolidated report is not a GAGAS-compliant performance audit.\nTo accomplish the initiative\xe2\x80\x99s objectives, each participating OIG\ninterviewed applicable personnel and reviewed supporting documentation, as necessary, for a\nsample of cloud systems under contract in FY 2014 to determine compliance with applicable\nFederal and agency standards.\n\n35\n  The NASA OIG report was issued July 29, 2013, and the results from that report were included in this consolidated\nreport. The scope of that report included cloud contracts that were in effect while audit fieldwork was conducted\nfrom June 2012 to June 2013.\n\nFor this review, each OIG obtained an inventory of its agency\xe2\x80\x99s cloud systems. Some OIGs\nsolicited the information from their agencies through a survey, others obtained an inventory list\nfrom their Office of the Chief Information Officer, and some used both methods. Due to\nthe inventory issues noted, agencies could not verify the completeness or accuracy of their cloud\nsystem inventories; therefore, USDA OIG cannot be certain that all cloud systems were identified\nfor inclusion in the agencies\xe2\x80\x99 universe. 
Additionally, due to the large number of cloud service\ncontracts reported by the participating OIGs, USDA OIG could not verify the accuracy of the\ndollar values associated with the inventory provided.\n\nPersonnel from participating OIGs conducted fieldwork between January and August 2014, at\napplicable agency locations throughout the United States. 36\n\n36\n     The NASA audit report was issued July 29, 2013, based on fieldwork conducted from June 2012 \xe2\x80\x93 June 2013.\n\nAbbreviations\n\nCAO ............................ Chief Acquisition Officer\nCIGIE .......................... Council of the Inspectors General on Integrity and Efficiency\nCIO .............................. Chief Information Officer\nCSP ............................. cloud service provider\nENISA ......................... European Network and Information Security Agency\nFAR ............................. Federal Acquisition Regulation\nFedRAMP ................... Federal Risk and Authorization Management Program\nFISMA ........................ Federal Information Security Management Act\nFY ............................... fiscal year\nGAGAS ....................... generally accepted government auditing standards\nIG ................................ Inspector General\nIT ................................. information technology\nJAB ............................. Joint Authorization Board\nNASA.......................... National Aeronautics and Space Administration\nNDA ............................ non-disclosure agreement\nNIST ............................ National Institute of Standards and Technology\nOIG ............................. Office of Inspector General\nOMB ........................... Office of Management and Budget\nPMO ............................ Program Management Office\nSLA ............................. 
service level agreement\nSP ................................ special publication\nTOS ............................. terms of service agreements\nUSDA.......................... U.S. Department of Agriculture\n\nAppendix A: List of Participating Offices of Inspector General\nThe OIGs for the following agencies participated in the CIGIE Cloud Computing initiative, and\nthis report reflects their results.\n\n       1. Department of Agriculture (USDA)\n       2. Department of Commerce (DOC)\n       3. Department of Education (Ed)\n       4. Department of Energy (DOE)\n       5. Department of the Interior (DOI)\n       6. Department of Justice (DOJ)\n       7. Department of Labor (DOL)\n       8. Department of Transportation (DOT)\n       9. Environmental Protection Agency (EPA)\n       10. General Services Administration (GSA)\n       11. National Aeronautics and Space Administration (NASA)\n       12. National Endowment for the Humanities (NEH)\n       13. National Labor Relations Board (NLRB)\n       14. Board of Governors of the Federal Reserve System and the Consumer Financial\n           Protection Bureau (CFPB)\n       15. Office of Personnel Management (OPM)\n       16. Pension Benefit Guaranty Corporation (PBGC)\n       17. Social Security Administration (SSA)\n       18. United States Agency for International Development (USAID)\n       19. United States Postal Service (USPS)\n\nAppendix B: Individual Reports Issued as Part of the CIGIE Cloud\nComputing Initiative\nSome participating OIGs have completed and published agency-level reports as part of the work\nperformed in conjunction with the CIGIE Cloud Computing initiative. Some OIGs have work in\nprocess and will be issuing agency-level reports in the future. 
If an OIG has released a report,\nthe following table includes a link to its released report.\n\n  Agency       Report Link\n  DOE          http://energy.gov/node/962096\n  EPA          http://www.epa.gov/oig/reports/2014/20140724-14-P-0323.pdf\n  NASA         http://oig.nasa.gov/audits/reports/FY13/IG-13-021.pdf\n  NLRB         https://www.nlrb.gov/sites/default/files/attachments/basic-page/node-1700/OIG-AMR-74-14-03%20-%20%20Cloud%20Computing.pdf\n  OPM          http://www.opm.gov/our-inspector-general/reports/2014/status-of-cloud-computing-environments-within-opm-4a-ci-00-14-028.pdf\n  USDA         http://www.usda.gov/oig/webdocs/50501-0005-12.pdf\n  USPS         https://www.uspsoig.gov/sites/default/files/document-library-files/2014/it-ar-14-009.pdf\n'